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(54) Hybrid digital signature scheme 

(57) A signature scheme is provided in which a 
message is divided in to a first portion which is hidden 
and is recovered during verification, and a second por- 
tion which is visible and is required as input to the verifi- 
cation algorithm. A first signature component is 
generated by encrypting the first portion alone. An inter- 
mediate component is formed by combining the first 
component and the visible portion and cryptographically 
hashing them. A second signature component is then 
formed using the intermediate component and the sig- 
nature comprises the first and second components with 
the visible portion. A verification of the signature com- 
bines a first component derived only from the hidden 
portion of the message with the visible portion and pro- 
duces a hash of the combination. The computed hash is 
used together with publicly available information to gen- 
erate a bit string corresponding to the hidden portion. If 
the required redundancy is present the signature is 
accepted and the message reconstructed from the 
recovered bit string and the visible portion. 
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Description 

[0001] The present invention relates to methods 
and apparatus for digitally signing a message. 
[0002] Digital signatures are used to sign a mes- 
sage generated by a correspondent so that the origin 
and authenticity of the message may subsequently be 
verified, in its basic form, a digital signature of a mes- 
sage is generated by signing the message with the orig- 
inators private key. The message may then be 
recovered using the originators public key. A number of 
variants of this basic arrangement have been proposed 
with different attributes. Digital signature schemes are 
typically thought to fall Into two generic classes, nameiy 
digital signatures with appendix and digital signatures 
with message recovery. 

[0003] Digital signatures with appendix are catego- 
rized by the fact that the message signed is required as 
input to the verification algorithm. Although very popular 
(the DSS and ECDSA are examples of this mechanism) 
they may not provide as much bandwidth efficiency as 
other methods. 

[0004] Digital signatures with message recovery 
are categorized by the fact that the message is not 
required as input to the verification algorithm. One prob- 
lem with message recovery schemes is to defeat exis- 
tential forgery attacks by defining a suitable redundancy 
function which will distinguish messages legitimately 
signed from signatures of random bit strings. 
[0005] In many practical applications the data to be 
signed carries a certain amount of inherent redundancy. 
For example, four bytes of data might be reserved for 
the date but, In practice, 3 bytes suffice and so there are 
8 bits of redundancy from this field. In order to ensure 
security it is necessary to provide a predetermined 
degree of redundancy within the message and accord- 
ingly the bandwidth efficiency is reduced. 
[0006] To increase the bandwidth efficiency it is 
known to split the message in to two components, 
namely a hidden and a visible component. The hidden 
component is recovered during the verification process 
and the visible portion is used as an input to the recov- 
ery process. The hidden component must have suffi- 
cient redundancy to withstand an existential forgery 
attack and additional bits must be added to the mes- 
sage if it does not inherently possess this, in one of the 
proposed standards to implement such a scheme, ISO 
9796 Part 2, the hidden component is utilised to gener- 
ate a signature component c of the form 
D£S R [H//SHA1 (Vy/lyJ where 

H is the hidden component, 
V is the visible component 
l A is an identifier of the signer 
SHA1 (V) is a cryptographic hash of the visible com- 
ponent, and 

DES R Is an encryption of the bit string. 



This scheme however has the disadvantage that c is at 
least the number of bits in SHA1 (V) bits longer, and, as 
it is included in the signature, the required bandwidth 
efficiency may not be achieved. Moreover, the scheme 

5 requires invocation of two hash operations as the value 
c is subsequently hashed for Inclusion in the signature 
component. This computational complexity may make it 
unsuitable for certain applications. 
[0007] It is therefore an object of the present inven- 

10 tion to provide a signature scheme in which the above 
disadvantages are obviated or mitigated. 
[0008] In general teams, one aspect of the present 
invention provides a signature scheme in which a mes- 
sage is divided in to a first portion which is hidden and 

is is recovered during verification, and a second portion 
which is visible and is required as input to the verifica- 
tion algorithm. A first signature component is generated 
by encrypting the first portion alone. An intermediate 
component is formed by combining the first component 

20 and the visible portion and cryptographlcally hashing 
them. A second signature component is then formed 
using the intermediate component and the signature 
comprises the first and second components with the 
visible portion. 

25 [0009] The generation of the first component from 
the first portion alone reduces the necessary bandwidth 
and simplifies the computation. The relative sizes of the 
first and second portions are determined by the applica- 
tion itself. In this manner, the redundancy function can 

30 be application dependent as opposed to a global primi- 
tive. 

[0010] Recovery of the message can be completed 
using the signature and the public key of the sender. 
[001 1 ] According to a further aspect of the invention 

35 there is provided a verification of a signature of a mes- 
sage that has been subdivided into a hidden and visible 
portion. The verification combines a first component 
derived only from the. hidden portion of the message 
with the visible portion and produces a hash of the com- 

40 bination. The computed hash is used together with pub- 
licly available information to generate a bit string 
corresponding to the hidden portion. If the required 
redundancy is present the signature is accepted and the 
message reconstructed from the recovered bit string 

45 and the visible portion. 

[0012] Embodiments of the Invention will now be 
described by way of example only with reference to the 
accompanying drawings in which:- 

so Figure 1 is a schematic representation of a data 
communication system, 

Figure 2 is a flow chart showing the signature gen- 
eration, 

Figure 3 is a flow chart showing the verification of 
55 the signature of figure 2, and 

Figure 4 is a flow chart showing a further embodi- 
ment of signature generation. 
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[0013] Referring to Figure 1 , a data communication 
system includes a pair of correspondents 10, 12 
exchanging a message M over a communication chan- 
nel 14. Each of the correspondents 10, 12 includes a 
cryptographic unit 1 6, 1 8 respectively and a terminal 20, 
22 to generate and receive the message M. Each of the 
cryptographic units 16, 18 implements a public key 
encryption scheme that enables it to generate a session 
key, to encipher or decipher a message using the ses- 
sion key or sign a message using a private key which 
can then be recovered using a corresponding public 
key. The general implementation of such schemes and 
their operating principles are well known. The encryp- 
tion scheme may be loaded in to the encryption unit 
from a data carrier coded to implement the protocol 
under the direction of a general purpose computer or 
may be implemented on a chipset as preprogrammed 
instructions. 

[0014] In the preferred embodiment described 
below, the encryption scheme is based on the intracta- 
bility of the discrete log problem in finite groups and is 
implemented in an algebraic system defined on the 
points of an elliptic curve over a finite field, typically 
referred to as elliptic curve crypto systems. However, 
the signature scheme proposed may be applied to any 
ElGamal signature over any finite group. 
[0015] The domain parameters of such an elliptic 
curve crypto system are a curve of the form 
y 2 = x 3 +dx + c and a seed point P. One of the corre- 
spondents has a private key a, 0<a<n where n is the 
order of the point P and a corresponding public key 
Q A = aP . The public key may be held in a certifying 
authority 24 shown in communication with the corre- 
spondents 10, 12 by ghosted lines. 
[0016] The messages M generated by the corre- 
spondents 10, 12 are subdivided into two bit strings H 
and V ( i.e. M=H//V ) where H is a bit string which is hid- 
den and recovered during the verification process and V 
is a bit string which is also signed but is required as 
input to the verification process. 
[0017] The signature generation algorithm is set out 
in the flow chart of figure 2. Initially the bit string H is 
examined to determine if it contains redundancy above 
a predetermined limit sufficient to prevent an existential 
forgery attack. If the examination determines that the 
original data forming the message M contains enough 
redundancy then H may simply be a subset of that data. 
If the predetermined redundancy is not found then H 
may be modified to contain artificially added redun- 
dancy such as additional bytes of O's. 
[0018] By way of example, suppose 80 bits of 
redundancy is determined to be the predetermined 
lower limit for security reasons. If the bit string H con- 
tains no inherent redundancy then it would be neces- 
sary to add up to 10 bytes of O's. To permit recovery of 
the message an indicator would be included, conven- 
tently as a leading byte in either H or V, which tells the 
number of bytes of O's added. Since the value is 0 to 1 0, 



4 bits of the byte suffice as an indicator so the bit string 
contains an additional 4 bits of redundancy. If t is the 
number of redundancy bytes that can be added, then 
the data must inherently contain at least 80-Bt bits of 

5 redundancy. 

[0019] To sign the message M=H//V the corre- 
spondent 10 generates a random integer k, o<k<n in the 
cryptographic unit 14. Using k correspondent 10 then 
computes a value of a random point R = kP . 

10 [0020] A value c is then computed from the bit string 
H only such that c = SKE R (H) . SKE R refers to a sym- 
metric-key algorithm wider control of a key derived from 
the random point R. This could be derived by applying a 
function, such as a hash function, to R, truncating R, or 

75 using only one of the coordinates, e.g. the x coordinate 
as the key. If H is smaller than the key derived from R, 
then one possible SKE is simply to XOR H with a trun- 
cation of bits from the key derived from R. This effec- 
tively is a one-time pad. If H is larger than the key it is 

20 possible to use a DES based algorithm or simply to 
XOR repeatedly the key with H. 
[0021] Using the bit string V, an intermediate com- 
ponent c 1 is computed such that c'=SHA1 (c//V) where 
SHA1 is a cryptographically secure hash algorithm. If 

25 preferred, additional information such as a certificate or 
identifying information of correspondent 10 may be 
incorporated in to the hashed value c\ 
[0022] It will be noted that the signature component 
c is the same length as the hidden portion H as it is a bit 

30 wise encryption of that portion and that the intermediate 
component c 1 is obtained with a single hash operation. 
[0023] A signature component s is then computed 
from the values available to the correspondent 10 using 
any of the known ElGamal equations. A convenient 

35 equation is the Schnorr signature algorithm where 
s = c'a+k (mod n). A signature is then formed from the 
components (s,c, V) and forwarded to the correspondent 
12. 

[0024] Verification of the signature by correspond- 
40 ent 12 is performed by the application of the corre- 
sponding algorithm, as shown in figure 3 for the Schnorr 
signature. The correspondent 12 initially obtains an 
authentic copy of the public key Q A of the correspondent 
10 from the certifying authority 24. The correspondent 
45 12 then computes a value c"= SHA1 (c/A/) and derives 
from the information available in the signature, i.e. s,c,V 
and the system domain parameters, the values 

X = sP 

50 

Y = c»Q A 
Z = X-Y 

55 A bit string H 1 is then recovered by applying to the 
received signature component c the symmetric-key 
algorithm under control of a key derived from the point Z 
such that H = SKE 2 (c) . The bit string H' Is then exam- 
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ined to determine if it has the required redundancy and 
if so the correspondent 1 2 accepts the signature of M 
and reconstitutes the message as H7/V. 
[0025] Because the message M is subdivided, it is 
only necessary for the one portion, H, to contain the 
requisite redundancy. The other portion V, which is sent 
in the clear, may have the data structure of the original 
data and thereby improve the bandwidth efficiency. 
[0026] Another feature of this scheme which is of 
practical and commercial interest is that the information 
encoded in c is only available to those Individuals who 
have the public key Q A of correspondent 10. The data 
contained in V is available to all. There may be some 
information which correspondent 10 wants to hide from 
those not privy to Q A in which case the sender, i.e. cor- 
respondent 10 puts this information into the bit string H. 
[0027] For example, in one particular application 
where the signature is used to authenticate postage 
applied to mail, a mailer may not want a receiver to 
know how many mail pieces he has sent The post 
office {which verifies postage and therefore needs this 
information) has the public key of the mailer, and can 
recover this information on verification but the receiver 
cannot if he does not have the mailers public key. 
[0028] Of course, if the public key Q A of the sender 
is contained in the indicium then this is also available to 
the receiver. Alternatively, the senders public key may 
be contained in a certificate that can only be recovered 
if the receiver has the certifying authority's public key. If 
this is not generally available then the contents of H will 
be hidden from the receiver. 

[0029] As indicated above, alternative forms of 
signing equations may be used. In a further embodi- 
ment shown in the flow chart of figure 4, a signing equa- 
tion similar to the ECDSA standard is used. Normally in 
such an arrangement: - 

• R = kP 

• c = OES R (M) 

• i" = SHA1 (c) 

• s = k' 1 {SHA1 (c//ID A ) +a r*} mod n where ID A is 
an identifier of the sender 

• the signature is (s,c). 

When used with a hybrid scheme described above the 
scheme is modified such that 

• R = kP 

• c=DES R (H) 

• r* = SHA1 (c) 

• s = k* 1 {SHA1(c/A0+a r 4 } modn. 

• the signature is (s, c,V) 

Again therefore because only a portion H of the mes- 
sage is used to generate the first component c, only that 
portion requires a specified redundancy. In the balance 
of the message a reduced redundancy may be utilised 
to maintain bandwidth efficiency. 



[0030] The verification for the modified scheme will 
change accordingly to accommodate the partial mes- 
sage recovery and necessary redundancy. 



5 Claims 

1. A method of digitally signing a message exchanged 
between a pair of correspondents in a data trans- 
mission system, said method comprising the steps 

10 of subdividing said message into a pair of bit 
strings, utilising one of said bit strings to compute a 
first signature component, forming from said first 
signature component and another of said bit strings 
an intermediate signature component, utilising said 

15 intermediate component to provide a second signa- 
ture component and combining said first and sec- 
ond components with said other of said bit strings 
to provide a signature. 

20 2. A method according to claim 1 wherein redundancy 
in said one of said bit strings is compared to a pre- 
determined level prior to computing said first signa- 
ture component. 

25 3. A method according to claim 2 wherein said redun- 
dancy is adjusted to exceed said predetermined 
level. 

4. A method according to claim 3 wherein data is 
30 added to said one bit string to adjust said redun- 
dancy. 

5. A method according to claim 4 wherein an indicator 
is included in said one bit string to indicate the data 

35 added. 

6. A method according to claim 1 wherein said second 
component is generated by hashing said first com- 
ponent and said other bit string. 

40 

7. A method of verifying a message subdivided into a 
pair of bit strings fcom a signature including at least 
one component having only one of said bit strings 
encrypted therein, and the other of said bit strings, 

45 said method comprising the steps of combining 
said one component with the other bit string, recov- 
ering said one bit string from said combination 
using publicly available information of the purported 
signer and examining said recovered one bit string 

so for a predetermined characteristic. 

8. A method according to claim 7 wherein said combi- 
nation of said one component and said other bit 
string includes hashing a combination of said one 

55 component and said other bit string. 

9. A method according to claim 8 wherein said prede- 
termined characteristic is the redundancy of said 
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recovered one bit string. 

10. A method according to claim 9 wherein said signa- 
ture includes a second component derived from a 
combination of said one component and said other 5 
bit string and said one bit string is recovered utilis- 
ing said second component. 
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